ckexec.c

自己写的入侵检测源码

#ifndef MODULE
#define MODULE
#endif
#ifndef __KERNEL__
#define __KERNEL__
#endif

#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/unistd.h>
#include <sys/syscall.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/string.h>
#include <linux/fs.h>
#include <linux/slab.h>  
#include <linux/init.h>
#include <linux/string.h>
#include "acd_define.h"
#include "fileinfo.c"
#define REJECT -1

extern void* sys_call_table[];	/* we can access sys_call_table  */
int (*orig_execve)(struct pt_regs regs);//the execve origin syscall

int check_exec(struct pt_regs regs)
{//use this funtion capture the execve system call
	
	int flag = 0;
	int error = 0;//define variable error because macro will use it 
	int syscall_num = 11;
	char *para_ebx = NULL;//this is filename
	int cpid = 0;//current process id
	
	
	//and we want to know this program pid
	cpid=current->pid;
	
	//now we know eax=11,ebx=filename
	para_ebx=getname((char *)regs.ebx);
	
	error = PTR_ERR(para_ebx);
	if(IS_ERR(para_ebx))
		goto out;	
	
	//test eax and ebx value and pid
	//printk("\nFilename is %s, suid is %d\n",para_ebx,current->suid);
	//printk("\n+--------------------+-------+-------+---------+-------+-------+\n");
	flag=transfer_para(syscall_num,para_ebx,cpid);//8110 entry point
	//printk("+--------------------+-------+-------+---------+-------+-------+\n");
	if(flag == REJECT)
		goto out;
	error=do_execve(para_ebx,(char **)regs.ecx,(char **)regs.edx,&regs);
	putname(para_ebx);
out:
	return error;
}


int init_module()
{
	
	orig_execve=sys_call_table[SYS_execve];	// save origin system call
	
	sys_call_table[SYS_execve]=check_exec;	// check_exec replace SYS_execve
	
	return 0;
}

int cleanup_module()
{
	
	sys_call_table[SYS_execve]=orig_execve;	//set back syscall to orig_exec
	
	return 0;
}